comp30172: advanced algorithms - automata-based verification...

Infinite Word Automata

COMP30172: Advanced Algorithms

Automata-based Verification - III

Howard Barringer

Room KB2.20: email: [email protected]

March 2009

Third Topic

Infinite Word AutomataMotivationBuchi AutomataBA OperationsInfinite Word Model CheckingWhere next

Outline

Motivation

We defined a Kripke structure as representing infinite runs of agiven concurrent program

Temporal logic formulas may also relate to infinite sequences

We must extend the finite word model checking to handle infinitewords

We use infinite word automata, usually a generalised form of Buchiautomaton

Outline

About Infinite Word Automata

• An infinite word automaton has similar structure to a finiteword automaton

• There is still a finite set of states

• A different method is required to determine acceptable(infinite) runs

• Hence, we change the notion of final state set to be a set ofaccepting states

More formally ...

A Buchi automaton is a structure

BA = (S ,Σ,T ,S0,A)

S is a set of statesΣ is an alphabetT is a labelled transition relation, ⊆ (S × Σ× S)S0 is a distinguished set of initial states, ⊆ SA is a distinguished set of accepting states, ⊆ S

The language of a Buchi Automaton

A infinite word w over an alphabet Σ is a infinite sequence ofsymbols of Σ, i.e. w ∈ Σω.

A run r of a Buchi automaton BA = (S ,Σ,T ,S0,A) on infiniteword w is a sequence of states r = s0s1s2 . . . such that(si ,wi , si+1) ∈ T for all i ∈ N}.Let inf (r) denote the subset of states S that occur infinitely in r .

An infinite word w is accepted by a Buchi automaton BA if thereis a run r on w and s0 ∈ S0 and inf (r) ∩ A 6= {}.The language L of an Buchi automaton BA = (S ,Σ,T ,S0,A) isthe subset of infinite words w over Σ accepted by BA.

A run r of a Buchi automaton BA = (S ,Σ,T ,S0,A) on infiniteword w is a sequence of states r = s0s1s2 . . . such that(si ,wi , si+1) ∈ T for all i ∈ N}.

Let inf (r) denote the subset of states S that occur infinitely in r .

An infinite word w is accepted by a Buchi automaton BA if thereis a run r on w and s0 ∈ S0 and inf (r) ∩ A 6= {}.

The language L of an Buchi automaton BA = (S ,Σ,T ,S0,A) isthe subset of infinite words w over Σ accepted by BA.

Examples

Consider the Buchi automaton

over alphabet Σ = {p, q}, with S = {s0, s1}, S0 = {s0} andA = {s1}.

Give some examples of (infinite) words that it accepts.

Give some examples of words that it does not accept.

Examples

More examplesAssume Σ is 2AP , i.e. elements of Σ are subsets of propositions.

The set of transitions is:(s0, {}, s0), (s0, {in1}, s0), (s0, {in2}, s0),(s0, {in1, in2}, s1),(s1, {}, s1), (s1, {in1}, s1), (s1, {in2}, s1), (s1, {in1, in2}, s1)

More conveniently, we can use propositional formulas as labels:

(s0,¬(in1 ∧ in2), s0), (s0, in1 ∧ in2, s1), (s1, true, s1)

This BA represents precisely the set of (infinite) paths for:

Always ¬(in1 ∧ in2)

A Liveness Property

Consider a Buchi automaton corresponding to the linear temporallogic formula

Always Sometime p

over the proposition alphabet AP = {p, q}Draw a suitable automaton structure.

Outline

Set-theoretic operations on BA

Buchi automata define the class of ω-regular languages, e.g. thoserepresentable as ω-regular expressions

αβω

where α and β denote regular expressions.

Buchi automata are closed under intersection and complement.

In particular, given languages LM say representing the execution paths ofa program or model, and LS representing the allowable, i.e. specified,paths, we will want to determine whether LM ⊆ LS , i.e. whether

LM ∩ LS = {}

What are the corresponding operations on Buchi automata?

Set-theoretic operations on BA

Buchi automata define the class of ω-regular languages, e.g. thoserepresentable as ω-regular expressions

αβω

where α and β denote regular expressions.

Buchi automata are closed under intersection and complement.

In particular, given languages LM say representing the execution paths ofa program or model, and LS representing the allowable, i.e. specified,paths, we will want to determine whether LM ⊆ LS , i.e. whether

LM ∩ LS = {}

What are the corresponding operations on Buchi automata?

Checking for emptiness

A Buchi automaton BA = (S ,Σ,T ,S0,A) accepts the emptylanguage if there is no word w ∈ Σω accepted by BA.

Must determine that there is NO infinite path from an initial statethat visits an accepting state infinitely?

About Infinite Paths in Graphs

An infinite path through a graph will eventually be trapped in a stronglyconnected component of the graph.

There is one terminal strongly connected component.

There are two maximal strongly connected components.

The emptiness check on Buchi automata

Given a Buchi automaton BA = (S ,Σ,T ,S0,A), compute its setof reachable strongly connected components, SCCs.

For each strongly connected component C of SCCs, check if theintersection of the states of C with A is empty.

If there is no strong component containing an accepting state, theBuchi is empty.

The reachable SCCs can be computed in time of order |S |+ |T |using Tarjan’s Depth First Search algorithm (see DER notes).

Or tailor a double DFS searchUse two depth first searches. When an accepting state is reached and itssuccessors visited, start a new dfs search from the accepting state todetermine whether it is in a cycle, i.e. it is reachable from itself.

Double Depth First Search — outline

void isEmpty() {

forall initial states s { firstDFS(s) }

terminate with false;

void firstDFS(state s) {

add s to visited store and mark on 1st search;

forall successors s’ of s

if (s’ not visited) firstDFS(s’);

if (s is an accepting state) secondDFS(s);

mark s as not on 1st search;

void secondDFS(state s) {

mark s as visited on 2nd search;

forall successors s’ of s

if (s’ on stack of 1st search) terminate with true;

else if (s’ not on path of 2nd search) secondDFS(s’);

remove 2nd search mark for s;

Building a Product of Buchi automata

Given BA1 = (S1,Σ,T1,S01,A1) and BA2 = (S2,Σ,T2,S02,A2)

How do we construct BA3 such that L(BA3) = L(BA1) ∩ L(BA2)?

Build a product automaton BA3 where:

S3 = S1 × S2 × {0, 1, 2}Σ3 = ΣT3 = {((s1, s2, x), α, (t1, t2, y)) |

(s1, α, t1) ∈ T1 and (s2, α, t2) ∈ T2 and condition}S03 = S01 × S02 × {0}A3 = S1 × S2 × {2}

where condition is

if t1 ∈ A1 ∧ x == 0 then y == 1if t2 ∈ A2 ∧ x == 1 then y == 2if x = 2 then y == 0otherwise x == y

Product — some explanation

The product definition is more complex than before because of thedifferent acceptance condition.

The product of the two acceptance sets is no longer sufficient —the individual component acceptance states may be visited atdifferent time.

The state markers, 0, 1, and 2, keep track of the individualcomponent acceptance.

1. marker 0 indicates that no accepting state has been visited

2. marker 1 means that an accepting state of the firstcomponent has been visited

3. marker 2 means that accepting states from both componentshave been visited

Product Example

Consider the product of the two Buchi automata below.The first defines (p|q)ω, the second is (p∗q)ω.

There are 6 possible states in the product BA:

(s, t0, 0) (s, t0, 1) (s, t0, 2)(s, t1, 0) (s, t1, 1) (s, t1, 2)

The initial state set is {(s, t0, 0)}The acceptance state set is {(s, t0, 2), (s, t1, 2)}The transitions . . .

And the composition is ...

Complementation of Buchi Automata

• Buchi automata are closed under complementation

• The complement construction is difficult and of highcomplexity

• Most well-known solution is Safra’s construction — but this isbeyond what we can consider here

• And it is far far better to avoid it, how?

• As we most often build a Buchi automaton from a temporalformula, we can complement the formula very easily beforeconstructing the automaton.

Outline

From Kripke Structures to BA

To apply the above automata methods to model checking, mustconstruct a BA corresponding to a Kripke structure K such that:

{w |∃σ ∈ paths(K ).∀i ∈ {0..|σ| − 1}.I (σi ) = wi} = L(FA)

The alphabet Σ is taken as 2AP where AP are the atomicpropositions of the Kripke structure.

The state-transition structure of the automaton is obtained byprefixing that of the Kripke structure with a new (single) initialstate, which is connected to all previous initial states.

The labelling of each state s is then attached to each of s’sincoming transitions.

We make all states of the automaton accepting ones.

As an example ...

For example:

Model Checking linear temporal logic properties

And now you have the ingredients to model check (linear)temporal logic properties of concurrent programs!

1. build a Kripke structure corresponding to the concurrent program

2. and convert to an infinite word automaton — the programautomaton

3. construct a Buchi automaton corresponding to the negation of thedesired property

4. build the product of the program automaton with thecomplemented property automaton

5. if the product is empty, property holds for all program behaviours

6. if the product is non-empty, it provides a counterexample

Outline

Summary ...

• We have given a little insight into a SERIOUS application ofgraph algorithms

• Model checking technology has truly proved itself over thepast 15 years

• Major advances on the basic automata-theoretic approacheshave been made

• These include:• extension to tree-automata for branching time logics• development of symbolic encodings, e.g. Ordered Binary

Decision Diagrams, to represent transition systems andautomata

• various attacks to attack the combinatorial state spaceexplosion

comp30172: advanced algorithms - automata-based verification...

Documents